Description
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6.
Published: 2026-03-31
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the scope path handling of the SciTokens library. The enforcer checks whether a requested path is covered by a token’s scope by performing a simple prefix match. This logic allows a token granted access to a specific path (for example, "/john") to also access any sibling paths that share that prefix (such as "/johnathan" or "/johnny"). Consequently, an attacker with a valid token for a given path can illicitly gain access to unrelated resources, violating confidentiality and integrity. The weakness corresponds to improper authorization enforcement, identified as CWE‑285.

Affected Systems

All users of the SciTokens reference library whose installations are older than version 1.9.6 are affected. The vulnerability applies to the scitokens scitokens_library product. Upgrading to the released 1.9.6 version or newer resolves the issue.

Risk and Exploitability

The CVSS score of 8.1 classifies this as a high‑severity flaw. The EPSS score of less than 1% indicates a low likelihood of widespread exploitation, and the flaw is not listed in CISA’s KEV catalog. Exploitation requires the attacker to possess a valid token for a path that conflicts with the desired resource; once that token is available, malicious callers can request sibling paths and benefit from the broken prefix validation. If an attacker can obtain or forge such a token, they can bypass authorization controls permanently on the affected system.

Generated by OpenCVE AI on April 3, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SciTokens library to version 1.9.6 or newer to correct the scope path validation logic.
  • Verify that existing tokens are re‑issued or invalidated if they granted access to paths that could be confused by the prefix rule.
  • Audit application code to ensure no custom authorization logic uses the old prefix check logic.
  • Monitor token usage and logs for anomalous access patterns that might indicate exploitation after an update.

Generated by OpenCVE AI on April 3, 2026 at 21:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w8fp-g9rh-34jh SciTokens has an Authorization Bypass via Incorrect Scope Path Prefix Checking
History

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Scitokens scitokens Library
CPEs cpe:2.3:a:scitokens:scitokens_library:*:*:*:*:*:*:*:*
Vendors & Products Scitokens scitokens Library

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Scitokens
Scitokens scitokens
Vendors & Products Scitokens
Scitokens scitokens

Tue, 31 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6.
Title SciTokens: Authorization Bypass via Incorrect Scope Path Prefix Checking
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Scitokens Scitokens Scitokens Library
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T15:30:14.705Z

Reserved: 2026-03-13T14:33:42.825Z

Link: CVE-2026-32716

cve-icon Vulnrichment

Updated: 2026-03-31T15:30:10.283Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T03:15:57.143

Modified: 2026-04-03T18:01:06.267

Link: CVE-2026-32716

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:15Z

Weaknesses